关联漏洞
标题:
Microsoft Windows Netlogon 安全特征问题漏洞
(CVE-2020-1472)
描述:Microsoft Windows Netlogon是美国微软(Microsoft)公司的Windows的一个重要组件,主要功能是用户和机器在域内网络上的认证,以及复制数据库以进行域控备份,同时还用于维护域成员与域之间、域与域控之间、域DC与跨域DC之间的关系。 Microsoft Windows Netlogon 存在安全漏洞。攻击者可以使用 Netlogon 远程协议 (MS-NRPC) 建立与域控制器的易受攻击的 Netlogon 安全通道连接并进行特权提升。
描述
CVE-2020-1472 - Zero Logon vulnerability Python implementation
介绍
![Python][python-shield]
# CVE-2020-1472
CVE-2020-1472 - Zero Logon vulnerability Python implementation
## Description
* A Python script which uses the Impacket library to test for CVE-2020-1472 - Zerologon vulnerability (credits to Secura research).
* The flaw stems from the Netlogon Remote Protocol, available on Windows domain controllers, which is used for various tasks related to user and machine authentication.
* Specifically, the issue exists in the usage of AES-CFB8 encryption for Netlogon sessions. The AES-CFB8 standard requires that each “byte” of plaintext have a randomized initialization vector (IV), blocking attackers from guessing passwords. However, Netlogon’s ComputeNetlogonCredential function sets the IV to a fixed 16 bits – not randomized – meaning an attacker could control the deciphered text.
* "Due to incorrect use of an AES mode of operation it is possible to spoof the identity of any computer account (including that of the [Domain Controller] itself) and set an empty password for that account in the domain,” according to Secura researchers.
* The script attempts to perform Netlogon authentication bypass. The script will terminate when succesfully
performing the bypass.
* When a domain controller is patched, the script will stop after sending 2000 pairs of RPC calls (target is not vulnerable with a false negative chance of 0.04%).
* Note that by default this changes the password of the domain controller account. This allows to DCSync, but it also breaks communication with other DCs.
* More info and original research [here](https://www.secura.com/blog/zero-logon)
## Prerequisites
```
pip install impacket
```
or Download the impacket release [here](https://github.com/SecureAuthCorp/impacket/releases). Unpack it, and in the directory where you placed it, run:
```
pip install .
```
## Usage
Given a domain controller named `DC-NAME` with IP address `X.X.X.X`, run the script as follows:
python cve-2020-1472.py DC-NAME X.X.X.X
The DC name is the NetBIOS computer name. If this name is not correct, the script will fail with a
`STATUS_INVALID_COMPUTER_NAME` error.
[python-shield]: https://img.shields.io/badge/python-3.6-green
文件快照
[4.0K] /data/pocs/1c5cd28d963586446eabec5fd27af08e5f201f9b
├── [3.1K] cve-2020-1472.py
└── [2.3K] README.md
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。